CVE-2009-4929

2010-07-0917:00:00

mitre

www.cve.org

6.8 Medium

AI Score

Confidence

High

0.009 Low

EPSS

Percentile

82.8%

JSON

admin/manage_users.php in TotalCalendar 2.4 does not require administrative authentication, which allows remote attackers to change arbitrary passwords via the newPW1 and newPW2 parameters.

References

secunia.com/advisories/34824

www.exploit-db.com/exploits/8496

www.securityfocus.com/bid/34619